February 11, 2026

Millions of Vulns

Robert "RSnake" Hansen


We regularly come across companies that have millions, tens of millions, or even “hundreds of millions” of vulnerabilities. Yes, you read that right. Those are insanely large numbers. Due to the way patching works, many of these companies were eventually able to make a significant dent in that number. Even so, many were still left with single-digit millions of unfixed vulnerabilities. That alone is already an interesting story.

But my takeaway is different.

Why, if some of these companies had tens or even hundreds of millions of vulnerabilities, didn’t anyone ever exploit even one of them?

Is the entire concept of vulnerability counts completely meaningless? Why are we reporting these numbers to the board when they don’t appear to impact losses? I’m not saying that an attacker could never use one of those vulnerabilities in the future. However, I am saying that during the time when those hundreds of millions of vulnerabilities existed, and in the millions that have remained since then, not a single one appeared to be exploited, by any measure these companies have available. It turns out that for-profit adversaries don’t care about those vulnerabilities.

Now for the obvious objection: “But Robert, you don’t know if they were used.” Okay, but if you have hundreds of millions of vulnerabilities, you are basically one giant walking vulnerability. You could kick over a rock and exploit these companies. So, adversaries should have completely ripped their networks apart, spamming like crazy from their environments, mining Bitcoin, and doing all sorts of other nasty things.

But they aren’t.

So sure, the naysayers are right: I can’t know for certain that they were never compromised. But what I can tell you for a fact is that these companies are still in business and never noticed anything nefarious happening. So, if there are breaches occurring, they have had no material impact on any part of their organizations.

That, to me, is very telling about the lack of utility of vulnerability counts when it comes to understanding and addressing risk. It also shows how pointless most vulnerability management is, by extension, since the sheer volume of vulnerabilities is precisely what it optimizes for.
